政府电脑保安事故协调中心 - 保安警报 (A19-05-01): Cisco 产品多个漏洞

描述:

Cisco发布了安全公告以应对发现于Cisco ASA软件及Cisco FTD软件中的多个漏洞。一些漏洞由处理VPN连接的安全断言标记语言(SAML)2.0单一登入(SSO)中的加密碰撞(cryptographic collision)和执行错误所引起。攻击者可以向受影响系统发出特制的查询、封包、传送流(traffic stream)或对话建立，或诱使用户开启恶意网页，从而攻击这些漏洞。

受影响的系统:

运行受影响ASA软件或FTB软件的Cisco产品，包括:

3000 Series Industrial Security Appliances (ISAs)
Adaptive Security Appliance (ASA) 1000V Cloud Firewall
Adaptive Security Appliance (ASA) 5500-X Series Firewalls
Adaptive Security Appliance (ASA) 5500-X Series with FirePOWER Services
Adaptive Security Virtual Appliance (ASAv)
ASA 1000V Cloud Firewall
ASA 5500 Series Adaptive Security Appliances
ASA 5500-X Series Firewalls
ASA 5505 Adaptive Security Appliance
ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
Firepower 2100 Series
Firepower 4100 Series
Firepower 9300 ASA Security Module
Firepower 9300 Security Appliances
Firepower Threat Defense Virtual

以上仅为一些受影响系统的例子而并不包括所有受影响的产品。有关受影响系统的详细资料，请参阅供应商网站的相应安全公告中有关“Affected Products”的部分。

影响:

成功利用这些漏洞的攻击者可以在受影响的系统引致绕过VPN认证、跨网址请求伪造攻击、跨网址程式编程攻击、权限提升、阻断服务或系统重启。

建议:

适用于受影响系统的软件更新已可获取。受影响系统的用户应遵从产品供应商的建议，立即采取行动以降低风险。有关修补程式的详细资料，请参阅供应商网站的相应安全公告中有关 “Fixed Software” 的部分。

用户可联络其产品支援供应商，以取得修补程式及有关支援。

进一步信息:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-csrf
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-frpwrtd-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-bypass
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-entropy
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-ike-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftd-xss
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftds-ldapdos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ftdtcp-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-ipsec-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asa-vpn-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-asaftd-saml-vpn
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-firepower-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-frpwr-cmd-inj
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-frpwr-dos
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-frpwr-smb-snort
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-ftd-cmd-inject
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190501-sd-cpu-dos
https://www.us-cert.gov/ncas/current-activity/2019/05/01/Cisco-Releases-Security-Updates
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15388
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15462
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1687
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1693
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1694 (to CVE-2019-1697)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1699
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1701
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1703 (to CVE-2019-1706)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1708
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1709
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1713 (to CVE-2019-1715)

标签 : Cisco , Cisco ISA , Cisco ASA , Cisco ASAv , Cisco Firepower , Cisco FTDv , Cisco FTD